[#915] Automatically request/renew Let's Encrypt SSL/TLS certificates for all vhosts



Detailed description

Wald - current situation

We're running a FusionForge 6.1.x instance named "Wald", reachable via http://wald.intevation.org/ and https://wald.intevation.org/

Currently the certificate used for https is from our own CA (root certificate downloadable at https://ssl.intevation.de/), which isn't known by default by any web browsers, so we would like to switch to certificates from Let's Encrypt.

Let's Encrypt client

On other servers we are currently using the program "acmetool" from https://github.com/hlandau/acmetool to request/renew Let's Encrypt certificates. To support the new ACMEv2 protocol, at least version 0.2.1 (currently only available as a beta release) is needed. A simple alternative client could be https://dehydrated.io/

Implementation proposal

Originally I thought we would need a certificate including SAN entries for *.wald.intevation.org, wald.intevation.org and every alternative host name pointing to Wald, e.g. mpuls.org and http://www.mpuls.org.

But wildcard certificates and Let's Encrypt are a little bit complicated to handle automatically, especially in combination with additional SAN entries for different domains, so I was thinking about the following way:

A script on Wald provides a list of all used host names, i.e.: - http://www.wald.intevation.org - wald.intevation.org - scm.wald.intevation.org - hg.wald.intevation.org - lists.wald.intevation.org - what other host names *.wald.intevation.org did I miss? - all project pages, e.g. adminton.wald.intevation.org - the manually configured vhosts that are listed in httpd-ssl.vhosts (e.g. mpuls.org and http://www.mpuls.org), but EXCLUDING those that have their DNS entry no longer pointing to Wald, e.g openvas.org.

Wald could then request a single SSL certificate containing SAN entries for all hostnames using e.g.

acmetool want http://www.wald.intevation.org wald.intevation.org ...more...

and use this single certificate for everything (assuming Let's Encrypt allows that many SAN entries, I haven't verified this).

Before using "acmetool want", the old list of vhosts should be cleared using "acmetool unwant ...old list of hostnames...", so no further verification requests are triggered for hostnames that are no longer in use and may now point to a different webserver.

The web server of Wald would need to direct all requests to /.well-known/acme-challenge/ for all configured vhosts to the challenge directory created by acmetool.

I know that projects on a FusionForge server can be configured to use their own SSL certificates (I assume using SNI), but I don't want to manually do this, especially since the verification challenges by Let's Encrypt have to be done anyway and the certificates have a short life span (I think 3 months).


The steps to implement this would be:

  1. A script that lists all used host names that have a DNS entry pointing to the server
  2. A script that uses the output of 1. determines if the list has changed. If yes calls "acmetool unwant (all previous hostnames)" followed by "acmetool want (all current hostnames)". (this script will regularly run, e.g. via cron or triggered by vhost changes)
  3. A configuration change to Apache to offer /.well-known/acme-challenge/ on all configured vhosts.
General Information
Submitted by:
Thomas Arendsen Hein
Date Submitted: 2020-01-28 12:12
Last Modified by:
Thomas Arendsen Hein
Last Modified: 2020-01-28 12:12
Permalink: https://fusionforge.org/tracker/a_follow.php/915
Internal Fields
Data Type: Support requests
Assigned to: Nobody (None)
State: Open
Priority: 3
Default ExtraField 2-columns Widget
Follow-up tabs

No comments have been posted

No attached documents

No related commits.

No changes have been made to this item

No relations found.